[dns-operations] Another possible .gov validation problem?

Mark Andrews marka at isc.org
Sat Feb 12 08:36:48 UTC 2011


In message <7FC8D4F4-3D71-4A3F-BA2A-25496572135A at nxdomain.com>, Cricket Liu writes:
> I'm seeing what looks like another validation problem in .gov, but (I think) 
> due to problems below nasa.gov.
> 
> When I try to resolve atmos.pds.nasa.gov, I get a validation failure.  BIND (9.7.2) logs the following:
> 
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.181#53
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.189#53
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.185#53
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid DS) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.181#53
> Feb 11 21:33:42 bigmo named[67012]: dnssec: info: validating @0x8373000: atmos.pds.nasa.gov A: bad cache hit (atmos.pds.nasa.gov/DS)
> Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (broken trust chain) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.185#53
> 
> Apparently BIND is expecting pds.nasa.gov to be secure, but it's not:
> 
> $ dig @ns1.nasa.gov. any pds.nasa.gov. +norec 
> 
> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. any pds.nasa.gov. +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60070
> ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3
> 
> ;; QUESTION SECTION:
> ;pds.nasa.gov.			IN	ANY
> 
> ;; ANSWER SECTION:
> pds.nasa.gov.		3600	IN	A	128.149.132.22
> pds.nasa.gov.		3600	IN	NS	ns3.nasa.gov.
> pds.nasa.gov.		3600	IN	NS	ns1.nasa.gov.
> pds.nasa.gov.		3600	IN	NS	ns2.nasa.gov.
> pds.nasa.gov.		3600	IN	SOA	ns1.nasa.gov. dns.nasa.gov. 2008041906 10800 3600 604800 86400
> 
> Note the absence of a DS RR.
> 
> However, an explicit query for a DS RR returns something surprising:
> 
> $ dig @ns1.nasa.gov. ds pds.nasa.gov. +norec
> 
> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. ds pds.nasa.gov. +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;pds.nasa.gov.			IN	DS
> 
> Note the NXDOMAIN RCODE.
> 
> The response to a DNSKEY query looks saner:
> 
> $ dig @ns1.nasa.gov. dnskey pds.nasa.gov. +norec
> 
> ; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. dnskey pds.nasa.gov. +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30896
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;pds.nasa.gov.			IN	DNSKEY
> 
> Any chance the weird DS response is throwing the validator off?  Or is there 
> something else wrong that I haven't spotted?

pdl.nasa.gov.		14400	IN	NSEC	people.nasa.gov. NS RRSIG NSEC

pds.nasa.gov does not exist according to nasa.gov.  Looks like someone forgot
to add the delegation.  The only reason named gets this far is the zone
is served by the same servers as nasa.gov.
 
> cricket
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
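As an added example (not code from either poster), the RFC 4034 section 6.1 canonical-order check a validator applies to decide that the NSEC record Mark quotes proves pds.nasa.gov does not exist, plus the type-bitmap test that tells a delegation point from an in-zone name. Helper names are my own and it assumes Python 3.9+.

```python
# Added example: NSEC non-existence proof in DNSSEC canonical order.
# The NSEC record is the one quoted in the reply; function names are my own.

def canonical_key(name: str) -> list[bytes]:
    """Labels of a name, lowercased, ordered from the root outward."""
    name = name.rstrip(".").lower()
    return list(reversed(name.encode("ascii").split(b"."))) if name else []


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 in DNSSEC canonical order (RFC 4034 section 6.1)."""
    ka, kb = canonical_key(a), canonical_key(b)
    for la, lb in zip(ka, kb):
        if la != lb:
            return -1 if la < lb else 1   # bytes compare: a prefix sorts first
    return (len(ka) > len(kb)) - (len(ka) < len(kb))   # fewer labels sorts first


def parse_nsec(rr: str) -> tuple[str, str, frozenset[str]]:
    """Split presentation-format 'owner TTL IN NSEC next types...' into parts."""
    fields = rr.split()
    if len(fields) < 5 or fields[3] != "NSEC":
        raise ValueError("not an NSEC record in presentation format")
    return fields[0], fields[4], frozenset(fields[5:])


def nsec_covers(owner: str, next_name: str, qname: str, apex: str) -> bool:
    """True if NSEC owner..next_name proves qname absent from the zone.

    A full NXDOMAIN proof also needs the wildcard denial; omitted here.
    """
    if canonical_cmp(qname, owner) == 0:
        return False                  # owner exists; only its types are denied
    if canonical_cmp(next_name, apex) == 0:
        return canonical_cmp(owner, qname) < 0   # last NSEC wraps to the apex
    return canonical_cmp(owner, qname) < 0 and canonical_cmp(qname, next_name) < 0


def is_delegation_point(types: frozenset[str]) -> bool:
    """NS without SOA in the type bitmap marks a zone cut below the apex."""
    return "NS" in types and "SOA" not in types


if __name__ == "__main__":
    record = "pdl.nasa.gov. 14400 IN NSEC people.nasa.gov. NS RRSIG NSEC"
    owner, nxt, types = parse_nsec(record)
    print("pds.nasa.gov absent:", nsec_covers(owner, nxt, "pds.nasa.gov.", "nasa.gov."))
    print("pdl.nasa.gov is a delegation:", is_delegation_point(types))
```

Because pds.nasa.gov sorts between pdl.nasa.gov and people.nasa.gov, a validator accepts the signed NSEC as proof that no DS (and no name) exists there, which is why the DS query gets NXDOMAIN while the same servers still answer for the child data.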